TrickBot is a traditionally Windows-based crimeware botnet that has been used by threat actors since 2016. It performs a wide range of malicious activities on target networks, including credential theft, and serves as a conduit for ransomware attacks. Due to the efforts of Microsoft and US Cyber Command, over 90% of TrickBot's command and control (C2) servers have been eliminated. TrickBot's authors have since moved portions of their code to Linux in an attempt to widen the scope of victims. A TrickBot backdoor framework called Anchor was discovered in 2019 using the DNS protocol to communicate covertly with C2 servers. In July, a variant dubbed Anchor_DNS was discovered being ported to a Linux backdoor version called Anchor_Linux. Even after the initial takedown of TrickBot, Microsoft expected the threat actors to attempt to continue their operation.
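The paragraph above notes that Anchor_DNS hides its C2 traffic inside DNS. From a defender's side, the observable symptom of that pattern is a domain that receives many unique, long, high-entropy subdomain labels, since the backdoor has to encode its data somewhere in the query name. The script below is an added detection example written for this page; it is not Anchor's protocol and not code from the original post. It builds a constructed DNS query log in memory (the domain `c2-placeholder.test` and the client addresses are made-up, not real indicators), then flags domains whose subdomain labels look like encoded payload. The thresholds (`min_unique`, `min_avg_len`, `min_avg_entropy`) are heuristic assumptions that a practitioner would tune against their own resolver logs.

```python
"""Heuristic detector for DNS-tunnelling style C2 traffic (added example, not TrickBot code)."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: encoded or encrypted data scores high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str, zone_labels: int = 2):
    """Split a query name into (registered domain, subdomain part).

    Approximation: the last two labels are treated as the registered domain.
    A production version would use the public suffix list instead.
    """
    labels = name.lower().rstrip(".").split(".")
    domain = ".".join(labels[-zone_labels:])
    sub = ".".join(labels[:-zone_labels])
    return domain, sub


def score_domains(queries, min_unique=8, min_avg_len=30, min_avg_entropy=3.0):
    """Flag domains that receive many distinct, long, high-entropy subdomain labels.

    `queries` is an iterable of (client, queried_name). Thresholds are heuristic
    assumptions for this example, not values taken from any published detection.
    """
    subs_by_domain = defaultdict(set)
    for _client, name in queries:
        domain, sub = split_name(name)
        subs_by_domain[domain].add(sub)

    flagged = {}
    for domain, subs in subs_by_domain.items():
        if len(subs) < min_unique:
            # Few distinct labels: normal hostnames, not a data channel.
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[domain] = {
                "unique_subdomains": len(subs),
                "avg_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            }
    return flagged


def build_sample_queries():
    """Constructed log: benign lookups plus one host emitting tunnel-like queries.

    'c2-placeholder.test' and the 10.0.0.x clients are made up for this example.
    The payload labels are SHA-256 hex so they behave like encoded data.
    """
    benign_names = ["www.example.com", "mail.example.com", "cdn.example.com",
                    "api.example.com", "www.example.com"]
    queries = [("10.0.0.5", name) for name in benign_names]
    for i in range(20):
        digest = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
        # Two 32-char labels keep each label under the 63-byte DNS limit.
        queries.append(("10.0.0.7", f"{digest[:32]}.{digest[32:]}.c2-placeholder.test"))
    return queries


if __name__ == "__main__":
    for domain, stats in score_domains(build_sample_queries()).items():
        print(f"suspicious DNS channel to {domain}: {stats}")
```

The benign `example.com` traffic is never flagged because it has only four distinct, short subdomains, while the constructed tunnel domain trips all three conditions. Volume per client and query-type mix (TXT or NULL records, very frequent queries to one zone) are further signals worth adding once the basic per-domain view is in place.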
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in